Verifying that protections are enabled

To help customers verify that protections are enabled, Microsoft has published a PowerShell script that customers can run on their systems. Install and run the script by running the following commands.

Note These verification steps only apply to Windows client and not to Azure instances. For further cloud guidance, see the Azure blog.

Switch | Registry Settings

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

Note By default, this update is enabled. No customer action is required to enable the fixes. We are providing the following registry information for completeness in the event that customers want to disable the security fixes related to CVE-2017-5715 and CVE-2017-5754 for Windows clients.

* Note setting of 3 is accurate for both enable/disable settings due to masking.

Disable mitigation against Spectre Variant 2

While Intel tests, updates, and deploys new microcode, we are offering a new option for advanced users on impacted devices to manually disable and enable the mitigation against Spectre Variant 2 (CVE 2017-5715) independently via registry setting changes.

If you have installed the microcode, but want to disable CVE-2017-5715 – Branch target injection mitigation due to unexpected reboots and/or system stability issues, use the following instructions.